The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.02 - February (2012 vol.61)
pp: 213-221
SangKyun Yun , Yonsei University, Wonju
ABSTRACT
This paper proposes a state encoding scheme called a covered state encoding for the efficient TCAM-based implementation of the Aho-Corasick multipattern matching algorithm, which is widely used in network intrusion detection systems. Since the information of failure transitions of the Aho-Corasick Nondeterministic Finite Automata (NFA) is implicitly captured in the covered state encoding and the failure transition entries can be completely eliminated, the Aho-Corasick NFA can be implemented on a TCAM with smaller number of entries than other schemes. We also propose constructing the modified Aho-Corasick NFA for multicharacter processing, which can be implemented on a TCAM using the covered state encoding. The implementation of modified Aho-Corasick NFA using the covered state encoding is also superior to other schemes in both TCAM memory requirement and lookup speed.
INDEX TERMS
String matching, multipattern matching, TCAM, intrusion detection system, Aho-Corasick algorithm.
CITATION
SangKyun Yun, "An Efficient TCAM-Based Implementation of Multipattern Matching Using Covered State Encoding", IEEE Transactions on Computers, vol.61, no. 2, pp. 213-221, February 2012, doi:10.1109/TC.2010.273
REFERENCES
[1] M. Alicherry, M. Muthuprasanna, and V. Kumar, "High Speed Pattern Matching for Network IDS/IPS," Proc. 14th IEEE Int'l Conf. Network Protocols (ICNP), vol. 11, pp. 187-196, 2006.
[2] M. Alicherry and M. Muthuprasanna, "Method and System for Multi-Character Multi-Pattern Pattern Matching," US Patent Application No. 20080046423, Feb. 2008.
[3] M. Gould, R. Barrie, D. Williams, and N. de Jong, "Apparatus and Method for Memory Efficient, Programmable, Pattern Matching Finite State Machine Hardware," US Patent No. 7082044 B2, July 2006.
[4] M. Gao, K. Zhang, and J. Lu, "Efficient Packet Matching for Gigabit Network Intrusion Detection Using TCAMs," Proc. 20th Int'l Conf. Advanced Information Networking and Applications (AINA), 2006.
[5] F. Yu, R. Katz, and T. Lakshman, "Gigabit Rate Packet Pattern-Matching Using TCAM," Proc. 12th IEEE Int'l Conf. Network Protocols (ICNP '04), pp. 174-183, 2004.
[6] Y. Weinsberg, S. Tzur-David, D. Dolev, and T. Anker, "High Performance String Matching Algorithm for a Network Intrusion Prevention System (NIPS)," Proc. IEEE High Performance Switching and Routing (HPSR), pp. 147-154, 2006.
[7] S. Dharmapurikar, M. Attig, and J. Lockwood, "Deep Packet Inspection Using Parallel Bloom Filters," IEEE Micro, vol. 24, no. 1, pp. 52-61, Jan./Feb. 2004.
[8] N. Tuck, T. Sherwood, B. Calder, and G. Varghese, "Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection," Proc. IEEE INFOCOM, vol. 4, pp. 2628-2639, 2004.
[9] L. Tan, B. Brotherton, and T. Sherwood, "Bit-Split String-Matching Engines for Intrusion Detection and Prevention," ACM Trans. Architecture and Code Optimization, vol. 3, no. 1, pp. 3-34, 2006.
[10] J. van Lunteren, "High-Performance Pattern-Matching for Intrusion Detection," Proc. IEEE INFOCOM, vol. 4, 2006.
[11] A. Bremler-Barr, D. Hay, and Y. Koral, "CompactDFA: Generic State Machine Compression for Scalable Pattern Matching," Proc. IEEE INFOCOM, 2010.
[12] C. Clark and D. Schimmel, "Scalable Pattern Matching for High Speed Networks," Proc. 12th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM), 2004.
[13] B. Hutchings, R. Franklin, and D. Carver, "Assisting Network Intrusion Detection with Reconfigurable Hardware," Proc. 10th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM), pp. 111-120, 2002.
[14] I. Sourdis and D. Pnevmatikatos, "Pre-Decoded Cams for Efficient and High-Speed NIDS Pattern Matching," Proc. 12th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM), pp. 258-267, 2004.
[15] Y.H. Cho, S. Navab, and W.H. Mangione-Smith, "Specialized Hardware for Deep Network Packet Filtering," Proc. 12th Int'l Conf. Field-Programmable Logic and Applications (FPL), pp. 337-357, 2002.
[16] A. Aho and M. Corasick, "Efficient String Matching: An Aid to Bibliographic Search," Comm. ACM, vol. 18, no. 6, pp. 333-340, 1975.
[17] D.E. Knuth, J. James, H. Morris, and V.R. Pratt, "Fast Pattern Matching in Strings," SIAM J. Computing, vol. 6, no. 2, pp. 323-350, 1977.
[18] SNORT Official Web Site, http:/www.snort.org, 2011.
[19] ClamAV Official Web Site, http:/www.clamav.net, 2011.
19 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool